
CVE-2022-42903: n/a in n/a

Severity: Low
Type: Vulnerability
Published: Thu Nov 17 2022 (11/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

AI-Powered Analysis

Last updated: 06/25/2025, 06:35:35 UTC

Technical Analysis

CVE-2022-42903 is a vulnerability in Zoho ManageEngine SupportCenter Plus affecting versions through 11024. It allows low-privileged users to access and view the organization users list, a resource normally restricted to higher privilege levels. The issue is classified under CWE-862, which pertains to improper authorization: the application does not adequately enforce access controls on the user list resource, so user information is disclosed to accounts that should not be able to see it.

According to the CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), exploitation requires local access (AV:L), low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). The scope is unchanged (S:U) and the impact is limited to confidentiality (C:L), with no effect on integrity or availability. The resulting base score is 3.3, rated low severity.

No known exploits have been reported in the wild, and no official patches or mitigations are linked in the provided data. The vulnerability was published on November 17, 2022. Exposure of the user list could aid an attacker in reconnaissance, for example by identifying valid user accounts for subsequent phishing or social engineering, but it does not directly compromise system integrity or availability.

Potential Impact

For European organizations using Zoho ManageEngine SupportCenter Plus, this vulnerability primarily poses a confidentiality risk: user account information is exposed to low-privileged users who should not have access to it. The direct impact on system operations is minimal, but an unauthorized user list can facilitate targeted attacks such as spear-phishing, credential stuffing, or lateral movement when combined with other vulnerabilities or weak security practices. Organizations subject to strict data protection regulations such as GDPR may face compliance risks if user information is exposed without adequate controls. The impact is greater where the user list carries sensitive role or contact details that a threat actor could leverage. Because exploitation requires local access and low privileges, existing network segmentation and access control policies partly limit the threat. With no integrity or availability impact, the vulnerability does not directly enable data manipulation or service disruption.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should enforce strict access control policies so that only authorized personnel can view user lists within ManageEngine SupportCenter Plus. Network segmentation and the principle of least privilege should limit who can reach the application locally, reducing the opportunity for low-privileged users to exploit the flaw. Access logs should be monitored and audited for unauthorized attempts to view sensitive user information. Upgrading to a fixed version of the software is recommended once one is available. In the interim, compensating controls such as restricting access to the application interface to VPN or internal network connections only, and requiring multi-factor authentication for all accounts, reduce the likelihood of exploitation. Educating users about phishing risks and monitoring for suspicious activity help address the secondary risks that follow from information disclosure. Finally, organizations should engage with Zoho support channels to confirm patch availability and timelines.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-13T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbee18e

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 6:35:35 AM

Last updated: 7/26/2025, 8:00:18 PM
